Merge pull request #907 from franbuehler/sqli-rulerevision2

sqli rulerevision: disassembling sqli rules

Author: emphazer

rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf

@@ -0,0 +1,22 @@
+\!\=
+\&\&
+\|\|
+>>
+<<
+>=
+<=
+<>
+<=>
+\bxor\b
+\bregexp\b
+regexp\s+binary
+\bisnull\b
+\brlike\b
+rlike
+rlike\s+binary
+not\s+between\s+0\s+and
+is\s+null
+like\s+null
+^in[+\s]*\([\s\d\"]+[^()]*\)
+\Win[+\s]*\([\s\d\"]+[^()]*\)
+<>\s+binary

util/regexp-assemble/regexp-942120.data

@@ -0,0 +1,16 @@
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)=([\s'\"`\(\)]*?)(?:\2)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)<=>([\s'\"`\(\)]*?)(?:\2)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)like([\s'\"`\(\)]*?)(?:\2)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)rlike([\s'\"`\(\)]*?)(?:\2)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)sounds\s+like([\s'\"`\(\)]*?)(?:\2)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)regexp([\s'\"`\(\)]*?)(?:\2)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)!=([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)<=([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)>=([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)<>([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)<([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)>([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)\^([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)is\s+not([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)not\s+like([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)not\s+regexp([\s'\"`\(\)]*?)(?!\2)([\d\w]+)

util/regexp-assemble/regexp-942130.data

@@ -0,0 +1,25 @@
+database\W*\(
+db_name\W*\(
+information_schema\b
+master\.\.sysdatabases\b
+msdb\b
+msysaccessobjects\b
+msysaccessstorage\b
+msysaccessxml\b
+msysaces\b
+msysmodules2\b
+msysmodules\b
+msysobjects\b
+msysqueries\b
+msysrelationships\b
+mysql\.db\b
+northwind\b
+pg_catalog\b
+pg_toast\b
+schema_name\b
+schema\W*\(
+sqlite_master\b
+sqlite_temp_master\b
+sysaux\b
+sys\.database_name\b
+tempdb\b

util/regexp-assemble/regexp-942140.data

@@ -0,0 +1,6 @@
+select\s+benchmark\s*?\(\s*?[(]?\s*?\w+
+;\s+benchmark\s*?\(\s*?[(]?\s*?\w+
+select\s+if\s*?\(\s*?[(]?\s*?\w+
+;\s+if\s*?\(\s*?[(]?\s*?\w+
+select\s+sleep\s*?\(\s*?[(]?\s*?\w+
+;\s+sleep\s*?\(\s*?[(]?\s*?\w+

util/regexp-assemble/regexp-942170.data

@@ -0,0 +1,21 @@
+\d[\"'`]\s+[\"'`]\s+\d
+^admin\s*?[\"'`]
+(\/\*)+[\"'`]+\s?
+(\/\*)+[\"'`]+\s?--
+(\/\*)+[\"'`]+\s?#
+(\/\*)+[\"'`]+\s?\/\*
+(\/\*)+[\"'`]+\s?{
+[\"'`]\s*?or[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
+[\"'`]\s*?xor[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
+[\"'`]\s*?div[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
+[\"'`]\s*?like[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
+[\"'`]\s*?between[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
+[\"'`]\s*?and[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
+[\"'`]\s*?[^\w\s]?=\s*?[\"'`]
+[\"'`]\W*?[+=]+\W*?[\"'`]
+[\"'`]\s*?[!=|][\d\s!=+-]+.*?[\"'`(].*?$
+[\"'`]\s*?[!=|][\d\s!=]+.*?\d+$
+[\"'`]\s*?like\W+[\w\"'`(]
+\sis\s*?0\W
+where\s[\s\w\.,-]+\s=
+[\"'`][<>~]+[\"'`]

util/regexp-assemble/regexp-942180.data

@@ -0,0 +1,20 @@
+[\"'`]\s*?!\s*?[\"'`\w]
+[\"'`];?\s*?having\b\s*?[^\s]
+[\"'`];?\s*?select\b\s*?[^\s]
+[\"'`];?\s*?union\b\s*?[^\s]
+\s*?exec.*?\Wxp_cmdshell
+\s*?execute.*?\Wxp_cmdshell
+\wiif\s*?\(
+connection_id\s*?\([^\)]*?
+current_user\s*?\([^\)]*?
+database\s*?\([^\)]*?
+exec\s+master\.
+execute\s+master\.
+from\W+information_schema\W
+into[\s+]+dumpfile\s*?[\"'`]
+into[\s+]+outfile\s*?[\"'`]
+schema\s*?\([^\)]*?
+select.*?\w?user\(
+union select @
+union[\w(\s]*?select
+user\s*?\([^\)]*?

util/regexp-assemble/regexp-942190.data

@@ -0,0 +1,14 @@
+,.*?[)\da-f\"'`][\"'`][\"'`].*?[\"'`]
+,.*?[)\da-f\"'`][\"'`]\Z
+,.*?[)\da-f\"'`][\"'`][^\"'`]+
+\Wselect.+\W*?from
+select\s*?\(\s*?space\s*?\(
+create\s*?\(\s*?space\s*?\(
+rename\s*?\(\s*?space\s*?\(
+truncate\s*?\(\s*?space\s*?\(
+load\s*?\(\s*?space\s*?\(
+alter\s*?\(\s*?space\s*?\(
+delete\s*?\(\s*?space\s*?\(
+update\s*?\(\s*?space\s*?\(
+insert\s*?\(\s*?space\s*?\(
+desc\s*?\(\s*?space\s*?\(

util/regexp-assemble/regexp-942200.data

@@ -0,0 +1,40 @@
+@.+=\s*?\(\s*?select
+\d+\s*?or\s*?\d+\s*?[\-+]
+\d+\s*?xor\s*?\d+\s*?[\-+]
+\d+\s*?div\s*?\d+\s*?[\-+]
+\d+\s*?like\s*?\d+\s*?[\-+]
+\d+\s*?between\s*?\d+\s*?[\-+]
+\d+\s*?and\s*?\d+\s*?[\-+]
+\/\w+;?\s+having\W
+\/\w+;?\s+and\W
+\/\w+;?\s+or\W
+\/\w+;?\s+xor\W
+\/\w+;?\s+div\W
+\/\w+;?\s+like\W
+\/\w+;?\s+between\W
+\/\w+;?\s+select\W
+\d\s+group\s+by.+\(
+;\s*?drop
+#\s*?drop
+--\s*?drop
+;\s*?alter
+#\s*?alter
+--\s*?alter
+;\s*?update\s*?\w{2,}
+#\s*?update\s*?\w{2,}
+--\s*?update\s*?\w{2,}
+;\s*?insert\s*?\w{2,}
+#\s*?insert\s*?\w{2,}
+--\s*?insert\s*?\w{2,}
+[^\w]SET\s*?@\w+
+and[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+nand[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+or[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+xor[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+xxor[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+div[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+like[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+between[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+not[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+\|\|[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+\&\&[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]

util/regexp-assemble/regexp-942210.data

@@ -0,0 +1,5 @@
+alter\s*?\w+.*?character\s+set\s+\w+
+alter\s*?\w+.*?char\s+set\s+\w+
+[\"'`];*?\s*?waitfor\s+time\s+[\"'`]
+[\"'`];*?\s*?waitfor\s+delay\s+[\"'`]
+[\"'`];.*?:\s*?goto